Spam Emails Masquerade as Adobe Update Notifications

Adobe warns that a spam campaign abusing its name and falsely notifying users about security updates for Adobe Reader and Acrobat is currently making the rounds. The rogue emails cite a real vulnerability and encourage users to download malware disguised as a security update.

In recent years, widespread Adobe products, like Reader or Flash Player, have been a constant source of high risk remote code execution vulnerabilities, many of which released as zero-day and actively exploited in the wild before seeing a patch. Such incidents have attracted so much media attention and public interest that it's understandable why cybercriminals would want to profit from them.

This latest email-based malware distribution campaign warns users about a vulnerability identified as CVE-2010-0193 in MITRE's Common Vulnerabilities and Exposures (CVE) database. The bug was publicly disclosed and addressed by Adobe on April 13 as part of its quarterly update cycle.

The emails instruct users to download an executable file named adbp932b.exe, which is in fact a variant of a backdoor known as Poison or PoisonIvy, depending on what AV vendor you ask. At the time of writing this article, 19 out of the 40 antivirus engines on VirusTotal detected this file as malicious.

The fake emails are signed by a made up Adobe employee named James Kitchin, of a similarly fictitious "Adobe Risk Management" team. "Please be aware that these emails have not been sent by Adobe or on Adobe's behalf. Customers should not click on any links, or open or download any attachments contained in any of these emails. Customers who subscribe to the Adobe Security Notification Service will receive email notifications that ONLY point to security advisories or security bulletins on the adobe.com domain [...], and that NEVER link directly to an executable for a product security update or contain attachments that must be opened," Adobe's Wendy Poland explains on the Product Security Incident Response Team (PSIRT) blog.